Why the US needs a data privacy law—and why it might finally get one

Op-ed: Among developed countries, only the US and Turkey lack a comprehensive …

The general public and Congress have both discovered geolocation, data breaches, and tracking cookies—and they're worried about the privacy implications. In this op-ed, the Center for Democracy & Technology's Justin Brookman argues that this could be the moment at which everything comes together to make comprehensive privacy reform possible. The opinions in this op-ed do not necessarily represent those of Ars Technica.

With the understandable exceptions of the national debt and the deployments of our troops abroad, privacy is possibly the hottest issue in Congress today. After ten years of limited interest in the subject, we’ve recently seen a spate of legislation introduced to give consumers rights over how their information is collected and shared.

In the House of Representatives, Reps. Bobby Rush (D-IL) and Cliff Stearns (R-FL) have each introduced separate comprehensivebills. In the Senate, John Kerry (D-MA) and John McCain (R-AZ) recently introduced the "Commercial Privacy Bill of Rights" with similar goals. The (Democrat-led) Senate Commerce Committee recently held a hearing on the topic of privacy; the next week, the (Republican-led) House Energy and Commerce Committee looked at the same thing.

In a town where positions on issues are often deeply divided along partisan lines, it’s encouraging to see that there appears to be at least one issue that both parties recognize as a problem that needs to be addressed.

Not much company

Here’s why Congress is interested: today, the United States and Turkey are the only developed nations in the world without a comprehensive law protecting consumer privacy. European citizens have privacy rights, Asian citizens have privacy rights, Latin American citizens have privacy rights. In the US, however, in lieu of a comprehensive approach, we have a handful of inconsistent, sector-specific laws around particularly sensitive information like health and financial data. For everything else, the only rule for companies is just “don’t lie about what you’re doing with data.”

The Federal Trade Commission enforces this prohibition, and does a pretty good job with this limited authority, but risk-averse lawyers have figured out that the best way to not violate this rule is to not make explicit privacy promises at all. For this reason, corporate privacy policies tend to be legalistic and vague, reserving rights to use, sell, or share your information while not really describing the company’s practices. Consumers who want to find out what’s happening to their information often cannot, since current law actually incentivizes companies not to make concrete disclosures.

This has been the case for years, of course, but in the modern era of constant connectivity, social networking, and cheap data storage and processing, the stakes are remarkably higher. Before the advent of the Internet, there were only so many data points for marketers and information brokers to collect about you, and bookstores and libraries didn’t share what you were reading. Even just a few years ago, when you went to a major publisher website, there might have been a couple third-party trackers on the site who could drop a cookie on your computer to “anonymously” track you across other sites. Today, these same sites may deploy hundreds of trackers from dozens of different companies, many of which know your offline identity as well. What happens to all that information? With whom is it shared? No one really knows, and there is no framework to regulate it.

Bad for business

This black box into which our data flows is bad for consumers, but it’s increasingly an impediment to US businesses as well. As Silicon Valley companies encourage consumers to store their personal data in “the cloud,” people are legitimately asking, “Why? What’s going to happen to my data there?” Today, the US is the undisputed leader in cloud computing services, but international competitors are increasingly advertising the fact that their services aren’t US-based. The Department of Commerce recently issued a report arguing that the lack of privacy protections threatens both the adoption of new technologies by worried consumers and the ability to have international data sent to the US. Last week, Forrester Research released a study showing that privacy concerns were the biggest impediment to the growth of e-commerce on mobile technologies.

Companies would be better off if they all provided meaningful privacy protections for consumers, but privacy is a collective action problem for them: many companies would love to see the ecosystem fixed, but no one wants to put themselves at a competitive disadvantage by imposing unilateral limitations on what they can do with user data. It’s fantastic to see companies endeavoring to compete on privacy (such as Google touting the privacy features of its new social network), but so far such competition has been spotty and often takes place at the margins. Many companies that touch and store consumer data don’t have consumer-facing sides (like the ever-increasing number of intermediaries in the behavioral advertising space), so it’s hard to see the Internet ecosystem fixing itself on its own.

And let’s be frank: so far, self-regulation hasn’t been enough. Increasingly, leading multinational corporations have recognized this problem, and companies like Microsoft, Intel, and HP that have heavily invested in cloud technologies have endorsed specific legislative solutions such as the Kerry-McCain and Rush bills to provide consumers with comprehensive privacy protections.

Any privacy law that is enacted doesn’t need to, and shouldn’t, prohibit data sharing or invalidate business models. However, consumers have a right to know what’s happening with their information and to have a say in how it gets shared. If a company insists on sharing data about a consumer as a condition of doing service, fine. As long as that fact is clearly conveyed, and the consumer decides to accept the terms, we shouldn’t put limits on what consumers are willing to do with their own information. Unfortunately, consumers today aren’t even told what’s happening, so they can’t exercise meaningful control over their data unless they take extreme measures to anonymize their surfing though services like Tor or block third-party content (which surely isn’t the right result for anyone).

So will a new law be passed? As with anything in Washington, it’s hard to say what will happen—Congress has a lamentable tendency to kick problems down the road for another day. However, with tremendous attention to privacy issues and widespread consumersupport for basic consumer protections, we have the best opportunity in memory to enact basic rules to give people control of their personal information and to give them confidence in an increasingly complex data ecosystem. We should take advantage of this moment to develop a considered consensus on reasonable baseline protections that work for both consumers and businesses.

Justin Brookman is Director of the Consumer Privacy Project at the Center for Democracy & Technology in Washington, DC.